Australian Cybersecurity Draft Bill Exempts ‘Enforcement Agencies’

Under a new draft bill being prepared by the Australian federal government, the country’s telecommunication companies and law enforcement agencies will be exempt from rules that mandate notifying victims of a breach.

The Australian federal government recently published an exposure draft of mandatory data breach laws. Quite simply, an incident involving a data breach will require Australian companies, and even foreign companies operating in Australia, to notify or pass the data on to customers.

Australian entities will be required to notify people if their data is part of a “serious data breach” that could potentially pose a “real risk of serious harm” if released. The qualifying data includes medical records, personal information, and credit card details, among other information.

However, the bill exempts an “enforcement body” from notifying victims of a data breach, according to a report in the Guardian. An enforcement body could also be exempt from publishing details of the breach if the body “believes on reasonable grounds that compliance…would be likely to prejudice one or more enforcement-related activities conducted by, or on behalf of, the enforcement body.”

This would mean enforcement bodies could also potentially circumvent any directive from the Australian privacy commissioner to make a data breach statement in public.

The exempted enforcement bodies include, among many others:

  • The Australian Federal Police
  • The Australian Crime Commission
  • The Australian Border Force

The current Australian information commissioner praised the draft bill, noting that the development of mandatory data breach notification is a good thing. Commissioner Timothy Pilgrim said:

“Notification enables people affected by a breach to take steps to protect their personal information; such as cancelling credit cards or updating log-ins with service providers.

“A mandatory notification scheme will provide confidence to all Australians that, in the event of a serious data breach, they will be given the opportunity to manage their personal information accordingly.”

The Australian government is currently taking submissions on the draft bill, with the consultation process ending in March 2016.